[Hacktoberfest] Fix security vulnerability related with the doctoc dependency.

[ahmetoz]

Situation
Doctoc on the devDependencies of extension app has vulnerability on the trim package.
The latest possible version that can be installed is 0.0.1 because of the following conflicting dependency:

[email protected] requires [email protected] via a transitive dependency on [email protected]

Complication
CVE-2020-7753

Vulnerable versions: < 0.0.3
Patched version: 0.0.3
All versions of package trim lower than 0.0.3 are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().

Resolution
Upgrade trim to version 0.0.3 or later. For example:

"devDependencies": {
"trim": ">=0.0.3"
}

[absolutic]

Hi @ahmetoz, I want to fix this issue as part of Hacktoberfest, but proposed resolution does not work because remark-parse just installs trim 0.0.1 in own local node_modules in this case.
I tried the solution with npm-force-resolutions package, it works well for dev mode but requires call to npx npm-force-resolutions as a part of preinstall script even for production mode which is not good.
How do you think may I proceed with npm-force-resolutions solution?

[ahmetoz]

Hey @absolutic thanks for the investigation. The issue effecting only development packages so I would not use npm-force-resolutions for now.

Looks like the issue is discussed here: thlorenz/doctoc#205, could you check if there is a solution or alternative approach ?

[AndrewSouthpaw]

Hey, one of the doctoc maintainers here, we patched that in v2.0.1. Let us know if you're still seeing problems!

[lojzatran]

We already updated to newest version of doctoc and the problem is fixed now! Thank you.

I'm closing this issue now.